Avast WEBforum

Avast Products => Avast Free Antivirus / Pro Antivirus / Internet Security/ Premier => Topic started by: zone12 on December 03, 2009, 04:05:26 AM

Title: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: zone12 on December 03, 2009, 04:05:26 AM
The recent avast! VPS update has a serious flaw inside it: various files are being marked as "Win32:Delf-MZG (Trj)". Some of the common files being marked as this false positive include Skype and Spybot S&D.

Apart from marking various files as this virus, the new update brought a crippling threat to the Windows operating system. Accounts are vague, but some are reporting that the new update may hinder the Windows operating system's boot. If you have updated avast during the last 48 hours, do not restart your computer! This is caused by avast scanning the starting files; during this process it will mark a file as hazardous and will not allow you to proceed without acknowledgement. Being that this is happening during the time in which Windows loads, there is no possible way to give acknowledgement to the program, therefore putting the computer at a standstill.

Possible workarounds

1. Be sure to determine if your avast has been updated by finding your Spybot S&D folder and scanning the updater.

2. Assuming that it detects it as the false positive, open up msconfig and uncheck avast scripts in the services tab and the startup tab.

2.1 Going to the avast settings (Right click on icon 4th down) then going to the troubleshooting tab. Finally check the second box "Delay of loading of avast" may also work
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: bonehenge on December 03, 2009, 04:28:12 AM
The recent avast! VPS update has a serious flaw inside it: various files are being marked as "Win32:Delf-MZG (Trj)". Some of the common files being marked as this false positive include Skype and Spybot S&D.

Apart from marking various files as this virus, the new update brought a crippling threat to the Windows operating system. Accounts are vague, but some are reporting that the new update may hinder the Windows operating system's boot. If you have updated avast during the last 48 hours, do not restart your computer! This is caused by avast scanning the starting files; during this process it will mark a file as hazardous and will not allow you to proceed without acknowledgement. Being that this is happening during the time in which Windows loads, there is no possible way to give acknowledgement to the program, therefore putting the computer at a standstill.

Possible workarounds

1. Be sure to determine if your avast has been updated by finding your Spybot S&D folder and scanning the updater.

2. Assuming that it detects it as the false positive, open up msconfig and uncheck avast scripts in the services tab and the startup tab.

2.1 Going to the avast settings (Right click on icon 4th down) then going to the troubleshooting tab. Finally check the second box "Delay of loading of avast" may also work


Or as I had to since it completely crippled my Email, Uninstall and now that I know, I'll just have to sandbox EVERYTHING and wait for an update.

Really, this is bad... I am glad I was not inclined to reboot before I read this, now I'm glad I did uninstall as I know Pocomail is clean, avast would not even let me install it from a fresh download from the official site.

And can someone please make it so that when the "Hey I've just done something!" alert pipes up, there is a way to CLOSE it rather than wait 5 hours for it to drop back down, or open up a new window; gaming sucks with it, movies suck with it, intrusive "LOOK AT ME!" things just suck.

Ugh, I'm wearing no clothes without an AV at the moment, I feel naked.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: chgoguy7 on December 03, 2009, 08:20:35 AM
Win32:Delf-MZG [Trj] on hundreds of files throughout my system!!!!

This is an incredibly egregious error, Avast. I have suggested wholeheartedly and without hesitation that my friends and family convert to Avast and I am now red-faced in light of this immense screw-up. I am willing to stick with Avast as I have had many positive experiences with it in the past, but I MUST receive an e-mail acknowledging the problem, that includes what specifically caused the problem, and how the issue will NOT BE REPEATED in the future. I need to assure all of my friends and family using Avast that Avast is indeed safe, and frankly at this point my confidence is severely shaken.

Please explain what the heck happened and how this error will not be repeated in the future!!!
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: nice3z on December 03, 2009, 08:30:27 AM
This is worse than a virus!
Avast just managed to delete most of my exe and dll before I could stop it. Now I have to reinstall everything...
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 08:52:54 AM
Folks, before taking any radical action, update to the latest VPS version, then re-scan and restore any files in the chest.
Hopefully that will make the need to re-install programs unnecessary.

It's indeed a big glitch. News of it is all over the web. I was mainly unable to use the forum, due to server load, and I bet I wasn't the only one. Unfortunately what that meant is that a lot of the helpers with a bit above average knowledge might not have been available to help.

Some people have lost their OS. (Especially those who hit "delete" instead of "quarantine".) But some have computers that won't boot, now.  :-[
Let's wait and see what the Avast folk have to say about it first, rather than starting a rant thread.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: crumply on December 03, 2009, 09:26:48 AM
What could they possibly say that would make a rant unjustified?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Marc57 on December 03, 2009, 09:28:32 AM
Here is the official statement: http://forum.avast.com/index.php?topic=51647
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: crumply on December 03, 2009, 09:30:55 AM
Okay.  Rant justified.  One of the largest software f-ups I have ever seen.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 09:38:52 AM
Sure. Rant justified. If it makes you feel better. Can't say I really blame you.
I think the largest one I ever saw was when Symantec issued an update that pretty much made all Chinese language versions of Windows unbootable.
Since a fair percentage of those installations were likely pirated, the jury is still out as to whether it was a good or a bad thing, IMO.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Rangersfan527 on December 03, 2009, 09:42:17 AM
When I had all those false positives with the VPS update, Avast said I should restart and do a boot-time scan to stop other viruses. So when I rebooted, everything that was flagged I put in the chest. This included
System Volume Information\_restore files and files with the original location as C:\WINDOWS\System32 and C:\WINDOWS\CREATOR. I'm afraid to reboot again and then have problems booting correctly. Besides restoring all the files that were put in the chest, is there something else I should do?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Marc57 on December 03, 2009, 09:43:27 AM
Okay.  Rant justified.  One of the largest software f-ups I have ever seen.

I'm not sure I'd say "Rant justified". Everyone makes mistakes. It's called being human.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Vlk on December 03, 2009, 09:45:48 AM
When I had all those false positives with the VPS update, Avast said I should restart and do a boot-time scan to stop other viruses. So when I rebooted, everything that was flagged I put in the chest. This included
System Volume Information\_restore files and files with the original location as C:\WINDOWS\System32 and C:\WINDOWS\CREATOR. I'm afraid to reboot again and then have problems booting correctly. Besides restoring all the files that were put in the chest, is there something else I should do?

Please try restoring the files from the chest first.
Details here: http://forum.avast.com/index.php?topic=51643.msg436955#msg436955
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 09:48:10 AM
When I had all those false positives with the VPS update, Avast said I should restart and do a boot-time scan to stop other viruses. So when I rebooted, everything that was flagged I put in the chest. This included
System Volume Information\_restore files and files with the original location as C:\WINDOWS\System32 and C:\WINDOWS\CREATOR. I'm afraid to reboot again and then have problems booting correctly. Besides restoring all the files that were put in the chest, is there something else I should do?
I'd be inclined to hit F8 repeatedly during the bootup, and select "last known good" configuration. It's a bit of a guess on my part, frankly, or use a system restore point for a time before Avast did that boot scan.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Rangersfan527 on December 03, 2009, 10:06:49 AM
When I had all those false positives with the VPS update, Avast said I should restart and do a boot-time scan to stop other viruses. So when I rebooted, everything that was flagged I put in the chest. This included
System Volume Information\_restore files and files with the original location as C:\WINDOWS\System32 and C:\WINDOWS\CREATOR. I'm afraid to reboot again and then have problems booting correctly. Besides restoring all the files that were put in the chest, is there something else I should do?

Please try restoring the files from the chest first.
Details here: http://forum.avast.com/index.php?topic=51643.msg436955#msg436955

I did this and some files said "cannot be restored because the original location is not defined"
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: crumply on December 03, 2009, 10:07:47 AM
It's just a mistake?

Sorry I just crushed your kid with my SUV.  It was a mistake.  It's called being human.

A mistake is dropping a glass of milk.  Destroying operating systems all over the world qualifies as something more than a mistake.

Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 10:36:16 AM
Rangersfan527, can you list the files "unable to be restored", if there aren't too many?

The "System volume information" ones relate to system restore points. If they cannot be restored, you have (basically) lost system restore, until a new restore point is created. No great loss, if you can get Windows to boot OK.
Regarding "C:\WINDOWS\CREATOR", how many of these files are there, and do they have names like "remind_XP.exe"? If so, it looks to me like that might not matter too much; appears to be a reminder to purchase software from the manufacturer of the computer. Which is probably HP?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: trenton24 on December 03, 2009, 10:43:54 AM
I agree, rant justified! It should have been tested before release. I am one of the lucky ones, only a few programs broken. I'd be cursing avast to hell if I had to do a full restore from backup - it's always nerve-racking.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Frasier on December 03, 2009, 10:46:45 AM
There really should be official info on the main website in all of the supported languages - how many people, do you think, know English well enough to find this forum, or even are computer-literate enough not to destroy their system accidentally? It is just too big a thing to hide under the carpet. A lot of people have their PC on almost 24/24h, with auto updates, so they got hit. Folks are not even sure if it is safe to reboot the system...
Personally I just feel sorry for all those people who took these alarms seriously and simply trusted Avast. I've recommended your software to tens of people, as a reliable substitute for paid ones (in at least two cases this converted to a paid version in small companies). You see, people do make mistakes, but in the case of an organization, when troubles come it is important to watch how a crisis is handled. Am I angry? No, I just think I will have to change antivir after trusting Avast for 4-5 years, unless Avast will not be afraid to take the responsibility, and just face all these angry people... You can post info about millions of clients, or a contest, in a window while updating - why not push information about this mistake there? So EVERYONE could see it.
Guys, I do have some experience in marketing/PR, you are doing business in a sensitive area, where trust is the basic factor (even more important than in the case of financial institutions), so please do not mess it up. Take the blame, take the hit, but save the reputation.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 10:59:40 AM
Hey guys, yeah the rant may be justified, but what's the point sounding off right now?
Alwil aren't going to try and sweep this under the carpet.
As has been said, it's too big. People have lost their OS's. Maybe thousands.

I'm confident there will be a full apology/report of what happened/audit etc published when they know it themselves.
How about holding off, at least til then?
I'll bet they are being as hard on themselves as anyone else will be. And I'll bet they know exactly how serious it is. At the moment, they are working on help guide/fixes for those affected, and no doubt analyzing the mistake/failure/what-ever-it-was. (No-one, at least outside the company, knows, yet.)
That would appear to be the correct priority to me.

When a plane crashes, months or even years elapse before the accident report is released.
But always there are those that are ready to blame the dead pilot even before the preliminary report is out, which usually takes 2-6 weeks.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Rangersfan527 on December 03, 2009, 11:30:41 AM
Rangersfan527, can you list the files "unable to be restored", if there aren't too many?

The "System volume information" ones relate to system restore points. If they cannot be restored, you have (basically) lost system restore, until a new restore point is created. No great loss, if you can get Windows to boot OK.
Regarding "C:\WINDOWS\CREATOR", how many of these files are there, and do they have names like "remind_XP.exe"? If so, it looks to me like that might not matter too much; appears to be a reminder to purchase software from the manufacturer of the computer. Which is probably HP?

Yes my computer is an HP.

The files unable to be restored shown by avast are:

C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swreg.exe
C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swxcacls.exe
C:\hp\recovery\wizard\SWR_Wizard.exe
C:\WINDOWS\system32\swreg.exe
C:\WINDOWS\system32\swxcacls.exe
Also 3 System restore points.

The C:\WINDOWS\CREATOR file wasn't listed as an error in restoring, so avast says it's restored but the original file name was C:\WINDOWS\CREATOR\WNASPINT.DLL

As for the other files that avast said were restored, I don't know if they really were. Would doing a system restore to say Tuesday be the best move?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Vlk on December 03, 2009, 11:34:32 AM
What error message (or code) did you get for these files?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Vlk on December 03, 2009, 11:46:01 AM
It's just a mistake?

Sorry I just crushed your kid with my SUV.  It was a mistake.  It's called being human.

A mistake is dropping a glass of milk.  Destroying operating systems all over the world qualifies as something more than a mistake.

Crumply, with all respect, do you have any question (e.g. need help fixing the mess caused by the buggy avast update) -- or did you register on the forum just to rant?

We have assessed the situation and we believe that in the vast majority of cases, we can undo the mess (or at least advise how to do it).

Thanks
Vlk
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 11:47:33 AM
Right.
You will have to re-install /re-download Smitfraudfix if you still need to use that program. (I think the version changes regularly, and it is best used under guidance.)
It probably will not work any more. Four files relate to it.

Of the remaining files, the HP recovery wizard is a worry. I haven't the foggiest how important it is, as a feature of your computer. Suspect that it can not be restored because the original location is part of the (normally) protected area of the disk, relating to the recovery console.
This may be important.
If you can extract/send to a folder, and wait for more expert input, that would be wise. You may have to get in touch with HP about this one.
Worst case scenario with not having it available, is that you go to restore factory settings, it won't be able to do so.

The system restore points are, likewise, in a protected area of the disk. You can probably consider them nuked.

I definitely would not use system restore at this point. It can not re-create files that are missing, (Such as the wizard for the recovery console.) but may do more harm than good, even if you can find a restore point that works. (We know that 3 of them won't.)

Is there any reason given for the inability to restore the hp wizard file? Original location not defined?

Best wait for more expert help, sorry. And do not delete those files from the chest. But at least your computer should be functioning normally?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Rangersfan527 on December 03, 2009, 11:55:47 AM
What error message (or code) did you get for these files?

FileID: 0000000044  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swxcacls.exe
FileID: 0000000043  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swreg.exe
FileID: 0000000057  Program cannot restore the following file, because the original location is not defined: C:\hp\recovery\wizard\SWR_Wizard.exe
FileID: 0000000138  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swxcacls.exe
FileID: 0000000137  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swreg.exe
FileID: 0000000113  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023644.exe
FileID: 0000000104  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023635.exe
FileID: 0000000094  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023625.exe
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: jesydney on December 03, 2009, 11:56:36 AM
:'( :'( Avast, this is an extremely serious error but apology accepted. PLEASE, please do not do this again. It is annoying.

This is one of the reasons that I DUMPED anything from Symantec. Please do not follow in their footsteps like Trendmicro, Bitdefender, CA and second worst of the lot McAfee.

Avast has been excellent for so many years. I've used Avast for so many years that I've lost count. I've told all my friends and family. Have also managed to disinfect their computers without resorting to reinstalling Windows.

In Australia, it's especially bad: with the time difference, while avast sends out the update, we are awake and using the PC.

Fortunately, I just recently had Acronis take a full image of my system. BTW I do not keep my data files in the same drive. So I had to re-image back, take out the LAN connection to stop Avast from updating so I can tell Avast to stop autoupdate in the settings.

So AVAST please do an in-house test before sending it to the update server.
 ;) Continue the good work tho'..
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Vlk on December 03, 2009, 11:59:49 AM
What error message (or code) did you get for these files?

FileID: 0000000044  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swxcacls.exe
FileID: 0000000043  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swreg.exe
FileID: 0000000057  Program cannot restore the following file, because the original location is not defined: C:\hp\recovery\wizard\SWR_Wizard.exe
FileID: 0000000138  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swxcacls.exe
FileID: 0000000137  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swreg.exe
FileID: 0000000113  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023644.exe
FileID: 0000000104  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023635.exe
FileID: 0000000094  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023625.exe

Interesting. I'd recommend using the "Extract" feature (instead of "Restore") and put the files in their respective locations manually. At least for the files outside System Volume Information, it should work OK.

Now for the files in System Volume Information it may be a bigger problem because you won't have access rights to write to this location (only the SYSTEM account has them). But the files are not important anyway, unless you plan to do a system restore (in which case it wouldn't restore the three executables).

Thanks
Vlk
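
The triage Vlk describes, as an added example that is not part of the original thread: a Python script that parses the chest's restore-failure lines in the format Rangersfan527 posted and separates files to put back manually with "Extract" from restore-point copies under System Volume Information, which only the SYSTEM account can write to. The function and field names are hypothetical; the sample lines are copied from the post above, plus one constructed line to show how unrecognised lines are handled.

```python
import re
from pathlib import PureWindowsPath

# Message format exactly as quoted in the thread; captures the chest
# file ID and the original path.
LINE_RE = re.compile(
    r"^FileID:\s*(?P<id>\d+)\s+Program cannot restore the following file, "
    r"because the original location is not defined:\s*(?P<path>.+?)\s*$"
)

# Top-level folder that, per the thread, only the SYSTEM account can write to.
PROTECTED_TOP = "system volume information"

# Four lines copied from the thread, plus one constructed non-matching line.
SAMPLE_LOG = r"""
FileID: 0000000057  Program cannot restore the following file, because the original location is not defined: C:\hp\recovery\wizard\SWR_Wizard.exe
FileID: 0000000138  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swxcacls.exe
FileID: 0000000113  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023644.exe
FileID: 0000000104  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023635.exe
FileID: 99  some other message (constructed, not from the thread)
"""


def triage(log_text):
    """Split restore failures into manual-extract, skip, and unparsed."""
    plan = {"extract": [], "skip": [], "unparsed": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            # Keep anything unexpected visible instead of dropping it.
            plan["unparsed"].append(line)
            continue
        path = PureWindowsPath(match["path"])
        entry = {
            "file_id": int(match["id"]),
            "name": path.name,
            "folder": str(path.parent),
        }
        # parts[0] is the drive root ("C:\\"), parts[1] the top-level folder.
        parts = [p.lower() for p in path.parts]
        if len(parts) > 1 and parts[1] == PROTECTED_TOP:
            plan["skip"].append(entry)
        else:
            plan["extract"].append(entry)
    return plan


def target_folders(plan):
    """Folders to open (show hidden folders if needed) before extracting."""
    return sorted({e["folder"] for e in plan["extract"]})


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["extract"]:
        print(f"Extract FileID {e['file_id']}: {e['name']} -> {e['folder']}")
    for e in result["skip"]:
        print(f"Leave in chest FileID {e['file_id']}: restore-point copy {e['name']}")
    for line in result["unparsed"]:
        print(f"Unrecognised line: {line}")
```
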
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Jonathan - FrostHost.org on December 03, 2009, 12:03:52 PM
Interesting, I had this alert on 2 of my games,

CrossFire and San Andreas multi-player.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 12:09:59 PM
VLK,
How is RangersFan to know the original location for "C:\hp\recovery\wizard\SWR_Wizard.exe"? Is there a clear path available via Windows explorer to move this?
I was worried it might be a protected/read only area.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: MSMStud on December 03, 2009, 12:25:00 PM
Hey guys, yeah the rant may be justified, but what's the point sounding off right now?
Alwil aren't going to try and sweep this under the carpet.

Must...not...use...all caps...

The point is this is nowhere on the web EXCEPT on blogs and forums.

This needed to be on the front page of AVAST.COM hours ago.

At your job outrage might not be triggered by destroying others' productivity, but at mine (and VLK's) readily acknowledging my error in a well-communicated fashion ASAP would be the respectable thing to do.

 >:(

Crumply, with all respect, do you have any question (e.g. need help fixing the mess caused by the buggy avast update) -- or did you register on the forum just to rant?
:o
Indignance buffer engaged. Will purge in 10...9...8...
Thank you for being the sole PR on this, and perhaps the most courteous and attentive Avast/Alwil web presence. I recognize errors happen, and I am a leeching parasitic freebie user, so let me say I do not equate your error with murder/manslaughter.

Indignance overflow. Grab a life-vest.
We recognize you have a choice in trolls and flamers, and appreciate your time. There are 20.5 moderators in line ahead of you. Your sanity will be addressed after we've spewed pea soup on all callers we perceive as vicariously accountable.

Furthermore, you blew up the world. And the moon.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: bggm on December 03, 2009, 12:26:34 PM
I was always fond of Avast, and that mistake didn't make me lose trust in it - though it made me a little concerned. I hope nothing like that happens again, but there were dozens of ways to minimize and in my case nullify all damages (a little thinking doesn't hurt!).
All those who call for vengeance upon losing many crucial programs or even OS - it is partly your fault as well. Anti-virus and anti-spyware programs are only of help for securing your computers against destruction, the most important thing is having common sense - why didn't you find it weird that suddenly all your files have the same infection all over the disk soon after av update? Do you think that there is a chance of you having one of the newest viruses all over the disk? Well, that could happen if you were to install/download/run programs that you don't know or trust (or visit certain dangerous sites), and if you run programs from unknown sources, that's your fault for having viruses. Of course I don't say that Alwil is not guilty, but a letter of apology and help with restoring lost files is sufficient enough, so refrain from hanging them by the necks for your lack of sense.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 03, 2009, 12:30:07 PM
Hi there, seem to have had the same problem, currently googling this problem on my mum's computer because my internet hasn't worked since it happened

Regrettably, I may have panicked and deleted the first 1 or 2 'trojans' that were found
The rest were sent to chest
I've tried (although it didn't acknowledge that I had) to restore the files
Looking for some help as to what might have caused my internet to stop working :/
Unfortunately I can't seem to get online to update Avast to the newer update
So I'm a bit stuck

Any help appreciated
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: paul1nz on December 03, 2009, 12:30:59 PM
Hi

I had the same problem, but because of receiving a number of false positives in the past I decided to ignore the warnings with the intention of verifying the result before I took any action. The sheer number of alerts made me decide that there had been an error in the definition file or the program update that I installed today.

End result, no damage done.

Paul
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: jaikrishna on December 03, 2009, 12:38:10 PM
Oh my god!!
I never thought that avast would do like this.

I nearly got 1000s of such files in my computer.
I chose to move all to chest. ???
The chest got filled up and it was showing that there is no space in chest. >:(
I was forced to delete them. Now nearly more than 12GB of files are lost. :'(

Hope avast does not do it again
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: sbruce45 on December 03, 2009, 12:40:23 PM
Just to let people who had problems know how I reacted when I suddenly started getting the alerts.  I saw which file it was (part of my firewall), made note of it, figured something was wrong with Avast to report on my firewall, made note of the file, and, like paul1nz, said to ignore it.  As the reports continued, all having to do with my firewall or other security software, I continued to ignore them and then paused the Avast standard shield.  The alerts stopped and I was able to continue.  I requested an update of Avast and there was one, and even rebooted successfully.  But the alerts still came, so I paused the standard shield again.  Then I checked this forum and found that others had problems as well as the forum server (being so slow).

In the morning, I re-checked this forum, checked that I had the updated version (performed automatically overnight), and then resumed the standard shield.  All was OK.  I looked at the Avast log and even though it reported the update for 091203-1 it did not show it had installed 091203-0.  It only showed that new versions were available for the last 2 days.  Thus, even the log was wrong.  But it did show the alerts I got before I stopped the shield.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 12:40:58 PM
mikereid,
Do you have a record/memory of the files you deleted? (Names, locations? Deletion always a bad first move. No options following.)
For restoring from the chest, the correct procedure is to start Avast, then when the GUI is up, open the chest, right click each file, rescan it, and, if clean, right click again, select "restore".
That what you're doing?

Why your internet stopped working is related to the deleted files, most likely. So if you can find the names (of the files, not the detections), that would help.

jaikrishna,
Didn't it occur to you when you got thousands of detections that something might not be quite right?
I mean, sorry, but there has to be a little common sense here, somewhere?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: arrie on December 03, 2009, 12:46:55 PM
Well I am in Australia.  This afternoon at 3pm I was setting up a new (2nd hand) computer, using a memory stick from my main computer to it to transfer programs I wanted, when bingo....Avast went wild on both computers.  I have used Avast for 5 years or so, put it on all my friends'/families' computers, recommended it etc.  Of course I thought it was a nasty off the new 2nd hand computer, so of course I sat here and put all the files in the chest, a lot of which won't restore.  This is disgraceful on Avast's part as I have been to their website and there is not one word of how to fix our problem.  Why can they not at least put something up on their website to help us out of this mess?  I have tried the Restore/Extract, but some files just will not, and it leaves me with no option but to back up everything again and do a clean install.  I am furious with them.  We rely on them.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Rangersfan527 on December 03, 2009, 12:49:11 PM
What error message (or code) did you get for these files?

FileID: 0000000044  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swxcacls.exe
FileID: 0000000043  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swreg.exe
FileID: 0000000057  Program cannot restore the following file, because the original location is not defined: C:\hp\recovery\wizard\SWR_Wizard.exe
FileID: 0000000138  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swxcacls.exe
FileID: 0000000137  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swreg.exe
FileID: 0000000113  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023644.exe
FileID: 0000000104  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023635.exe
FileID: 0000000094  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023625.exe

Interesting. I'd recommend using the "Extract" feature (instead of "Restore") and put the files in their respective locations manually. At least for the files outside System Volume Information, it should work OK.

Now for the files in System Volume Information it may be a bigger problem because you won't have access rights to write to this location (only the SYSTEM account has them). But the files are not important anyway, unless you plan to do a system restore (in which case it wouldn't restore the three executables).

Thanks
Vlk

Extracting worked for the HP recovery file, I followed the path of the original location. I had to change the show hidden folders option but I found the location and put the file back. Then I clicked the icon and it seems to be working. I didn't proceed with a system restore or system recovery obviously but it allowed me to go to each option. So hopefully, if I ever need to use it, it'll work. I think I will leave the copy of it in the chest alone, same goes for any other file I extract. Thanks Vlk and Tarq for the help!
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: jaikrishna on December 03, 2009, 12:51:28 PM
I actually deal with so many viruses that I get many detections a day. (While Network Shield scans my downloads.)

I thought that avast might have missed a virus which would have taken advantage and spread to the computer.

But there was a clue, because avast found the virus in random files, not contagious.
Usually viruses affect files that were opened, but files that I have not opened for years were shown as viruses.

I am an experienced and advanced computer user. If it has fooled me so much, then think about novices.
Even though, you are right, I should have had some more common sense.

I don't know how avast tackles the issue, they should inform all their users about this issue immediately to avoid panic
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 03, 2009, 12:53:24 PM
Unfortunately not.
Kinda panicked

I have a screenshot of my Avast log viewer and also one of my Avast chest if that's any use, although I'm not sure what I'd do with them

Computer seems to be running fine, just the internet is the problem, and it's fine from my mum's so obviously not a connection problem
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: bggm on December 03, 2009, 01:00:57 PM
I can see legends being passed on for many generations about how a paladin named Alvil chose the dark side went the wrong way, causing mischief and destruction all over the unaware world xD
But seriously - I hope you guys deal with the lost data and that Avast won't do anything like that again.

@mikereid: if it's about updating avast, then download installation file through your mum's pc and install it on your pc from a pendrive. Try 'restore' option on the clean files in the chest, if that doesn't work, try extracting them and putting in place by hand - then reboot pc (be sure to have corrected av database)
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 03, 2009, 01:01:41 PM
Quote
Extracting worked for the HP recovery file, I followed the path of the original location. I had to change the show hidden folders option but I found the location and put the file back. Then I clicked the icon and it seems to be working. I didn't proceed with a system restore or system recovery obviously but it allowed me to go to each option. So hopefully, if I ever need to use it, it'll work. I think I will leave the copy of it in the chest alone, same goes for any other file I extract. Thanks Vlk and Tarq for the help!
Nice, looks fixed, good job, and good to know how it worked.

Quote from: jaikrishna
I am an experienced and advanced computer user. If it has fooled me so much, then think about novices.
Oh yes. Lots of folk have been affected by this one.
If you are routinely getting that many infections a day, I surmise that maybe you collect them for a living, or are routinely visiting crack sites, in which case I would have thought you'd know to have a backup strategy well and truly in place.
Forgive me if I'm wrong, but that many detections a day just is not normal.

mikereid, if you can list the detections from the log viewer for the deleted (not quarantined) files (how many did you say you'd deleted?) that may help.
Hopefully someone will reply to your problem; I need to sleep. If not, Google "LSPFix" and "Winsock fix", download from a reputable source (majorgeeks, filehippo) and try them out.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 03, 2009, 01:03:06 PM
Is there an installation file for the latest update?
Even though I doubt that's going to get my internet working again
:(
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: nmb on December 03, 2009, 01:04:55 PM
Is there an installation file for the latest update?

Here it is : http://files.avast.com/iavs4pro/vpsupd.exe

thanks
nmb
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: jaikrishna on December 03, 2009, 01:08:54 PM
Quote
Quote from: jaikrishna
I am an experienced and advanced computer user. If it has fooled me so much, then think about novices.
Oh yes. Lots of folk have been affected by this one.
If you are routinely getting that many infections a day, I surmise that maybe you collect them for a living, or are routinely visiting crack sites, in which case I would have thought you'd know to have a backup strategy well and truly in place.
Forgive me if I'm wrong, but that many detections a day just is not normal.

Yes, I had a backup of my C drive, and I recovered it. But after recovering and updating avast, it again started detecting viruses.
They must have made a patch to this issue before I recovered or at least after the recovery was complete (which took an hour).
But they were too slow, which made me delete the files, because I thought that it was a latest virus.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 03, 2009, 01:16:32 PM
Nothing seems overly suspicious

Adobe\syst.exe
AdobeUM\fffsrz.dll
Ahead\Diviant.exe

There are also a couple of files that don't seem to carry the Delf/Zbot trojan name
Can I assume they are actual viruses?

They are:

win32:ertfor
win32:alureon-EI
win32:malOb-W
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: bggm on December 03, 2009, 01:28:03 PM
win32:ertfor
win32:alureon-EI
win32:malOb-W
Almost for sure these are viruses - if you doubt, rescan them in chest.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: arrie on December 03, 2009, 01:37:18 PM
jeez, now even my posts won't go through >:( can anyone help on the programs that wouldn't restore from the chest?  and can anyone help me to help the dozens of people I have converted to Avast to deal with this tomorrow?  I have told those I can contact to leave their computers off for now
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: MSMStud on December 03, 2009, 01:41:49 PM
jeez, now even my posts won't go through >:(
LULZ they've got Avast! Antivirus on their servers and it's eating inflammatory posts!

IT'S SKYNET! THE MACHINES ARISE FROM ALWIL!  SAVE YOURSE--*kkkrrrrzzzzssssccchchhttt*

;D
MSMStud has updated his status to "Douche with nothing useful to contribute, who will STFU now."
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: nmb on December 03, 2009, 01:52:25 PM
Hello arrie,

the problem is because of the forum server being overloaded.
you can extract the files instead of restoring the files. extract it to a temporary folder and copy it to the original location(the location is also visible in the chest).

thanks
nmb
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: richteratmosphere on December 03, 2009, 02:03:08 PM
When avast reported spybot as being malware, I suspected that it was a false positive.  I didn't send anything to the chest or delete any of the files that ended up being false positive.  I checked the forum and confirmed that a lot of people were experiencing false positives.  Programs like Spybot were rendered unusable for a while, but my avast updated to a more current virus database file, and now I am not experiencing any problems.  My Windows XP booted successfully.

After noticing the problem with avast on my desktop, I quickly turned on my laptop and disabled automatic virus database updating so that my laptop wouldn't be affected until this problem was sorted out.  Since a new virus database file has been released, the next time that I turn on my laptop, I will re-enable automatic virus database updating.  There is a red font notice about this Win 32:Delf-MZG problem on the avast site.  I am glad that this problem has been addressed by avast, and grateful that there doesn't appear to be any permanent damage to my OS because of this.

I've been using the free version of avast for around two years now, and this is the first major problem that I have experienced.  Overall, I am still really impressed with avast.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: nmb on December 03, 2009, 02:20:23 PM
Hello richteratmosphere,

it is all about using common sense and that is what you have used and saved your pc from the wreck. thanks for those supporting words in bad times.

thanks
nmb
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: DavidR on December 03, 2009, 03:11:45 PM
Ensure you have the latest VPS version 091203-1  as a number of false positives on this malware name, Win32:Delf-MZG have been corrected. So rescan this file within the chest if that is where it is and Restore it if no longer detected.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: jaikrishna on December 03, 2009, 04:27:35 PM
For those who have lost their precious files by clicking the 'Delete' button, you can just recover them using a file recovery software such as Recuva, which comes from the makers of CCleaner.

You can find it at http://www.piriform.com/recuva

Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: street_lethal on December 03, 2009, 05:23:03 PM
I've said it before, I'll say it again: always a good idea to create backup images, folks.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: street_lethal on December 03, 2009, 05:31:02 PM
I was always fond of Avast, and that mistake didn't make me lose trust in it - though it made me a little concerned. I hope nothing like that happens again, but there were dozens of ways to minimize and in my case nullify all damages (a little thinking doesn't hurt!).
All those who call for vengeance upon losing many crucial programs or even OS - it is partly your fault as well. Anti-virus and anti-spyware programs are only of help for securing your computers against destruction, the most important thing is having common sense - why didn't you find it weird that suddenly all your files have the same infection all over the disk soon after av update? Do you think that there is a chance of you having one of the newest viruses all over the disk? Well, that could happen if you were to install/download/run programs that you don't know or trust (or visit certain dangerous sites), and if you run programs from unknown sources, that's your fault for having viruses. Of course I don't say that Alvil is not guilty, but a letter of apology and help with restoring lost files is sufficient enough, so refrain from hanging them by the necks for your lack of sense.

I concur.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Vlk on December 03, 2009, 05:41:50 PM
Guys, please, stop contemplating whose fault it was or wasn't... there are many people who're now in trouble because of avast, and it's necessary to help them.

Thanks
Vlk
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: GoldenSt8r on December 03, 2009, 06:50:01 PM
It all happened so fast.  Sirens were going off, popups all over the place, and the next thing I know my system was rebooting and running a boot scan.  Dozens of files were being reported infected by the Win32: Delf-mzg virus, and each one wanted me to make a decision - delete, move, or repair, etc.  Some couldn't be moved, some couldn't be repaired, and as a result many were deleted.  Yikes!  And System restore wouldn't work.  I figured I was going to have to reformat what had been a perfectly running system, but first I wanted to know exactly what had been deleted.  

I searched the Avast site and many of the other forums and couldn't find the answer.  I ran a search on my system asking what files had been changed since 12/2 and stumbled onto the file I needed.  I'm posting this for anybody else who experienced the same thing.  It seems this should be posted prominently on the Avast site for others who need more help than just restore files from the chest.

Find and Open the file called aswboot.txt.  It will print a list of all of the files/programs deleted during the boot scan.

From my list, I've reinstalled A-squared  and HostMan and a few others.  I'm left with not knowing what to do about the following files...

File C:\COMPAQ\Audio\RTHDCPL.exe is infected by Win32:Delf-MZG [Trj], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Deleted
File C:\COMPAQ\Audio\SEC508.Skn is infected by Win32:Delf-MZG [Trj], Deleted
File C:\Documents and Settings\All Users\Application Data\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.msi is infected by Win32:Delf-MZG [Trj], Deleted
File C:\Program Files\Compaq\SetRefresh\SetRefresh.exe is infected by Win32:Delf-MZG [Trj], Deleted
File C:\SWSetup\SP36746\program files\COMPAQ\SetRefresh\SetRefresh.exe is infected by Win32:Delf-MZG [Trj], Deleted
File C:\SWSetup\sp39852\WDM\MicCal.exe is infected by Win32:Delf-MZG [Trj], Deleted
File C:\SWSetup\sp39852\WDM\RTHDCPL.exe is infected by Win32:Delf-MZG [Trj], Deleted
File C:\WINDOWS\CREATOR\Plugin\WNASPINT.DLL is infected by Win32:Zbot-MKK [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\WINDOWS\CREATOR\WNASPINT.DLL is infected by Win32:Zbot-MKK [Trj]

I don't use Microsoft Office so I'm not worried about that one, but does anyone know anything about the others on this list and how to reinstall them?  

Thanks
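A triage of the aswboot.txt lines quoted in the post above, as an added example (not Avast's code and not the poster's): it parses each entry, separates files still on disk from files the boot scan deleted, and groups deleted false positives by folder so the owning package can be reinstalled. The line format is inferred only from the quoted excerpt; the function names and the `false_positive_names` default are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Lines copied from the aswboot.txt excerpt quoted in the post above.
SAMPLE_REPORT = r"""
File C:\COMPAQ\Audio\RTHDCPL.exe is infected by Win32:Delf-MZG [Trj], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Deleted
File C:\COMPAQ\Audio\SEC508.Skn is infected by Win32:Delf-MZG [Trj], Deleted
File C:\Documents and Settings\All Users\Application Data\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.msi is infected by Win32:Delf-MZG [Trj], Deleted
File C:\Program Files\Compaq\SetRefresh\SetRefresh.exe is infected by Win32:Delf-MZG [Trj], Deleted
File C:\SWSetup\SP36746\program files\COMPAQ\SetRefresh\SetRefresh.exe is infected by Win32:Delf-MZG [Trj], Deleted
File C:\SWSetup\sp39852\WDM\MicCal.exe is infected by Win32:Delf-MZG [Trj], Deleted
File C:\SWSetup\sp39852\WDM\RTHDCPL.exe is infected by Win32:Delf-MZG [Trj], Deleted
File C:\WINDOWS\CREATOR\Plugin\WNASPINT.DLL is infected by Win32:Zbot-MKK [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\WINDOWS\CREATOR\WNASPINT.DLL is infected by Win32:Zbot-MKK [Trj]
"""

# "File <path> is infected by <name> [<type>]<, action>..."
ENTRY_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<detection>\S+)"
    r"(?: \[[^\]]*\])?(?P<rest>.*)$"
)
# Each action is either "<Action>: Error <code> {<message>}" or a bare "<Action>".
ACTION_RE = re.compile(r",\s*(?:([A-Za-z ]+?): Error (\S+) \{([^}]*)\}|([A-Za-z ]+))")


@dataclass
class Entry:
    path: str
    detection: str
    failed: dict = field(default_factory=dict)  # action name -> error code
    done: list = field(default_factory=list)    # actions that completed

    @property
    def deleted(self):
        return "Deleted" in self.done


def parse_report(text):
    """Turn report text into Entry objects, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(m["path"], m["detection"])
        for name, code, _msg, done in ACTION_RE.findall(m["rest"]):
            if done:
                entry.done.append(done.strip())
            else:
                entry.failed[name.strip()] = code
        entries.append(entry)
    return entries


def triage(entries, false_positive_names=("Win32:Delf-MZG",)):
    """Sort entries into a recovery plan.

    recover: deleted under a known false-positive name, grouped by folder
    rescan:  still on disk; rescan once the corrected VPS is installed
    review:  deleted under any other name; treat as a real detection
    """
    recover = defaultdict(list)
    plan = {"rescan": [], "review": []}
    for e in entries:
        if not e.deleted:
            plan["rescan"].append(e.path)
        elif e.detection in false_positive_names:
            p = PureWindowsPath(e.path)
            recover[str(p.parent)].append(p.name)
        else:
            plan["review"].append(e.path)
    plan["recover"] = dict(recover)
    return plan


if __name__ == "__main__":
    plan = triage(parse_report(SAMPLE_REPORT))
    for folder, names in plan["recover"].items():
        print("deleted (false positive):", folder, "->", ", ".join(names))
    for path in plan["rescan"]:
        print("still on disk, rescan:", path)
    for path in plan["review"]:
        print("deleted, other detection:", path)
```

On the quoted excerpt this leaves the two WNASPINT.DLL entries in the rescan list, because nothing in their lines says they were deleted or moved.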
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Foggy on December 03, 2009, 07:54:39 PM
I was always fond of Avast, and that mistake didn't make me lose trust in it - though it made me a little concerned. I hope nothing like that happens again, but there were dozens of ways to minimize and in my case nullify all damages (a little thinking doesn't hurt!).
All those who call for vengeance upon losing many crucial programs or even OS - it is partly your fault as well. Anti-virus and anti-spyware programs are only of help for securing your computers against destruction, the most important thing is having common sense - why didn't you find it weird that suddenly all your files have the same infection all over the disk soon after av update? Do you think that there is a chance of you having one of the newest viruses all over the disk? Well, that could happen if you were to install/download/run programs that you don't know or trust (or visit certain dangerous sites), and if you run programs from unknown sources, that's your fault for having viruses. Of course I don't say that Alvil is not guilty, but a letter of apology and help with restoring lost files is sufficient enough, so refrain from hanging them by the necks for your lack of sense.

Common sense tells me to do what the computer asks me to do.....especially when you try to boot up and fail and the only option you have is to do as the computer asks and run a restore to factory default. That was my only option if I wanted to get up and running. :(
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 03, 2009, 08:08:58 PM
Couldn't find an aswboot.txt file - only an application aswboot, what's the location of the file?

Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: GoldenSt8r on December 03, 2009, 08:43:31 PM
Couldn't find an aswboot.txt file - only an application aswboot, what's the location of the file?



C:\Program Files\Alwil Software\Avast4\DATA\report
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: nmb on December 03, 2009, 08:54:03 PM
@GoldenSt8r

Quote
C:\Program Files\Alwil Software\Avast4\DATA\report

it will be available there if you have done a boot scan.

nmb
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 03, 2009, 09:51:19 PM
A boot scan? Sorry, I'm not the most literate computer user!
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 03, 2009, 11:37:13 PM
Any suggestions? :(
I'm all out of ideas
Computer's fine but still no internet since this
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 04, 2009, 12:08:07 AM
mikereid,
Alureon and Malotob (which you say are in the chest) are a right pain to remove.
Seems a funny coincidence, but until you know otherwise, those infections should be treated as real.
They could be the reason you have no internet, or it could be some files that were deleted causing it.

Best thing first is to make sure the infection is not still present, look at replacing lost files second.
I'd try MBAM or SAS. (SAS has a toolkit that can effect certain internet-based repairs.) Get MBAM Here (http://www.malwarebytes.org/mbam.php) (free version - blue) and SAS here (http://www.superantispyware.com/download.html) (free version, lower download.)
The instructions below are for MBAM.

-Download the installer file,"mbam-setup.exe" using a good computer, to a clean USB stick (Flash drive.)
-Copy the installer to the good computer (desktop), and install it on that computer, by double clicking the file and following the prompts.
-Update it on that computer.
-Once the update is complete, locate the folder "C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware" (if using Vista the path may start with "users" rather than "documents and settings") and locate the file "rules.ref". This file will be about 3.2MB in size. OR, run a computer search for the same file.
-Once the file is found, copy it to the flash drive.
-Check on the sick computer which database is currently installed in Avast. Right click the tray icon, left click "about" and look to the VPS version. If that version is 091203-0 (ie: it hasn't updated to the version that fixed this), stop the on-access protection in Avast, and pause all providers.
-On the good computer, do the "safely remove hardware" thing, remove the flash drive, plug it into the sick computer.
-Copy the installer file "mbam-setup.exe" to this computer.
-Run the file by double clicking it.
-Once it has installed, navigate to the same folder C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware and copy the "rules.ref" file from the flash drive to the sick computer. Windows will produce a prompt: "File already exists; do you want to replace this file (date) with this file(date)?" Click yes. If you don't get this warning, you are in the wrong location. Find the right location. (The above path is for Windows XP.)
-Open MBAM by double clicking on the desktop icon. (It is cerise/maroon in colour, with a white M)
-Command it to run a quick scan. At the end of the scan it will produce a report.
-Place a tick in the box beside everything it finds and select "remove selected". If you are prompted to reboot to finish removal, please do so promptly.
-Try your computer for connection.
-Please post the scan report.

Hope this works.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 04, 2009, 12:23:41 AM
Good idea on getting the latest version of mbam onto the other computer, but I've installed it and am not seeing this rules.ref file in the folder at all?
appreciate the help
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 04, 2009, 12:38:11 AM
What OS is the good computer, mike?
Try clicking "start" then "search", and typing in "rules.ref" (in category all files and folders). Command it to look in hidden and system files.
Should produce a result.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 04, 2009, 12:42:20 AM
Yeah, I'm not seeing the usual option to search hidden files :/
It's Windows 7
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tipton on December 04, 2009, 12:44:03 AM
This is the perfect example as to WHY everyone should be using imaging software. I constantly push imaging software, and seem to get ignored. It must be that people would rather have disasters on their system so they can complain about them. Imaging software is so common place now that they include it in Vista and Win 7 as part of the OS. In my opinion, if you are not using imaging software, then you have no right to complain about any of this. And for all the people going off on a rant and wanting compensation for what happened, I hope you get back exactly what you gave........nothing if you are using the free version.

I got all the popups last night warning me, and I just clicked the X up in the corner and kept using my system. I knew right away they were FP's, and that it would get fixed. So, this morning I restored from an image I created two days ago, updated Avast virus data base, and it was just like nothing happened.

Take control of your PC people, and quit complaining. If your system got trashed by this human mistake, then shame on you for not backing up your operating system and software.  
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 04, 2009, 12:48:57 AM
Got it, wasn't showing hidden files
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 04, 2009, 01:02:34 AM
Excellent.
I'd be interested in the path to that file in Windows7, for sure. Just copy and paste it from the address bar, if you wouldn't mind.
Let me know how the scan goes, as per previous lengthy instructions post.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 04, 2009, 01:17:10 AM
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware   was the location of the rules.ref

Did all that, ran a quick scan with the updated version and it found nothing at all malicious, worth a full scan or not?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 04, 2009, 01:24:24 AM
That Alureon sounds pretty malicious!
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: crumply on December 04, 2009, 01:50:27 AM
Goldenst8r did a good job articulating what happened.  Avast told me to do a boot scan.  It then filled up the virus chest.  The only option I saw was to delete infected files.  I cannot post the list of deleted files, because it exceeds the allowable character limit.  It's about 1,000 files.  What should I do now?  Reformat and start over?  Are the deleted files really deleted?





Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 04, 2009, 02:08:51 AM
Full scan done, nothing found. I assume you don't want the log posting as it didn't find anything?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 04, 2009, 02:26:14 AM
mikereid,
Yes, that Alureon does look pretty nasty. (Fortunately, I've never encountered the beast.)
It would be good to post the scan report, it might contain information that is of use.
Next thing, what VPS version does your Avast have (on the sick computer)? If it is 091203-1 it can be re-enabled (if it had been disabled), the providers resumed, and started.
Once it is started, go to the chest and please post the original filenames/locations of the malotob and alureon detections. Re-scan them, and post the result.

crumply, see your similar question. (http://forum.avast.com/index.php?topic=51658.msg437032#msg437032) Since no-one has added to it, it would appear that my answer is probably correct, or at least a reasonable way to proceed.
Deleted files, AFAIK, simply have the headers removed, so that they can not be read by the OS. The file body remains on the hard drive until over-written by new data. (Windows does not see the file there, so happily considers it free space.)
You could also try a program like Recuva (http://www.piriform.com/recuva), by Piriform, to attempt recovery of these files. It would stand a fairly good chance of working, I'd think, but could be a laborious process. If it were me, I'd only do that for files I couldn't afford to lose.
But I also use a backup imaging program so I am not particularly knowledgeable about recovery programs. Haven't had to use one in a long time.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Bama158 on December 04, 2009, 07:32:32 AM
Most virus alert questions seem to be here, and I have one.

I have one restored file that belongs to a Security Program. That program would not work till I extracted the file from the Virus chest. Now the program works just fine I did a scan etc etc., and all seemed fine, but here is the kicker. I downloaded the same security program in prep for a new install and was going to remove the old one since it was involved in this thing. I went to add/remove it tells me I cannot because it has already been uninstalled, and wants to know do I want to remove it from the list. I tell it NO of course. Went to CCleaner to use their tools to uninstall got same message of sorts that they cannot find it?

Now the big Q? Will it be safe to do a system restore, and have it back the way it was before this occurred? I only had two files in the chest. One security and the other a file from Irfanview, which is no big concern, but the security program sure is. Even though the program is working I want it out of the computer because I don't trust it now, and I know the thing is not right yet, or I could uninstall it in add/remove.

Thanks very much for any info here,

Bama :)
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 04, 2009, 11:31:23 AM
Bama158,
what is the program concerned? There might be a purpose built uninstaller for it.
Or you could try (using the original installed- not the new one) re-installing it.

Why do you no longer trust this program?
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: jayweb44 on December 04, 2009, 02:54:37 PM
Well this has been the worst thing possible for my computer but I was able to get it somewhat restored after many hours fixing everything.  Unlike some others, I did let it reboot to scan the memory since I really like to deal with viruses when they hit.  After 8 hours of scanning and checking the options for each virus found, Avast had found a total of 848 files infected!  Most of these were system files that could not be restored from the chest and most of these were deleted right away by Avast.  I only had a handful of programs that needed to be restored but I'm not sure of the long term effects of this Avast error.  As of now Windows is finally bootable with little or no visible problems.  So time will tell.  I'm just glad that it was false and that I really didn't have this bad trojan on my system.  I'm usually very careful with my system and I hadn't had a major virus for over a year.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Bama158 on December 04, 2009, 05:54:56 PM
Good Morning Tarq,

The program is the FREE Iobit360. I have installed and uninstalled this program on many computers. There is no special uninstall for it. The reason (although it is working just fine as I checked the whole program ...ran a quick scan etc) After I extracted the file to the desktop and saw that the program was working..I had previously downloaded a new copy to the desktop for installation after I removed the old copy of the program. When I went to add/remove and also in the tools of CCleaner both tell me it is not there, and do I want to remove it from the list. These are not exact words of the popup but essentially the same. Do you think that it is possible that because I extracted the file to the wrong place is the cause I am getting this message. Maybe it is in the wrong place and is not recognized by add/remove ..etc. The file was not originally on the desktop and maybe that's the problem.

When this attack was happening Iobit360 would not work, and I knew why because the file was in the chest, but a member had put it there before she came to chatroom for help. I was in remote on her computer when the thing was at its worst, and I realized this is bogus, and I never put anything in chest. There was only two files in the virus chest. I assume she sent there before she came in. If I can go to add/remove and not get that popup that the program is not there.. then I have no problem with keeping the program, but being security program I don't like the fact that it was involved in this.

Thank you very much for the help,

Bama
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: oddfunk on December 04, 2009, 06:18:52 PM
What error message (or code) did you get for these files?

FileID: 0000000044  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swxcacls.exe
FileID: 0000000043  Program cannot restore the following file, because the original location is not defined: C:\Documents and Settings\All Users\Documents\network share\SmitfraudFix\swreg.exe
FileID: 0000000057  Program cannot restore the following file, because the original location is not defined: C:\hp\recovery\wizard\SWR_Wizard.exe
FileID: 0000000138  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swxcacls.exe
FileID: 0000000137  Program cannot restore the following file, because the original location is not defined: C:\WINDOWS\system32\swreg.exe
FileID: 0000000113  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023644.exe
FileID: 0000000104  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023635.exe
FileID: 0000000094  Program cannot restore the following file, because the original location is not defined: C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\A0023625.exe

Interesting. I'd recommend using the "Extract" feature (instead of "Restore") and put the files in their respective locations manually. At least for the files outside System Volume Information, it should work OK.

Now for the files in System Volume Information it may be a bigger problem because you won't have access rights to write to this location (only the SYSTEM account has them). But the files are not important anyway, unless you plan to do a system restore (in which case it wouldn't restore the three executables).

Thanks
Vlk

For the most part, this is what happened with mine last night during the boot scan so I will follow your advice when I get home. As soon as Avast notified me of a virus warning, it suggested and do a bootscan which I did. "Ignore" was the only option that worked during the scan. Once I logged in, I ran Malwarebytes, but during this time I guess Avast was still running in the background and alerting me from time to time that I had a virus was found in such-n-such file. I believe that a couple of the files could not be moved to chest and were therefore renamed with the "vir" extension and then moved to chest. Are these files possible to extract and/or restore since they have been renamed? How do I get the original file name for them? Sorry if the questions seem stupid, but I'm really not an advanced user and just converted to Avast about a week ago. I was only on my computer for about 30 minutes after everything was moved over to chest and everything seemed to be working OK. I haven't looked at or done anything with the files that are in the chest yet so please advise. Thank you.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Tarq57 on December 04, 2009, 08:12:45 PM
Bama158,
Any file that belonged to a particular program, once quarantined (sent to the chest) must be extracted back to its original location for the program to work correctly. Personally I would re-scan the file to make sure it is clean, and then restore it. If the original location was a "moved" location, ie: you had already placed it somewhere else like the desktop, it needs to be restored to its correct program directory.
(I hope you know where that is, there are a few different folders it could belong in.)

What is the full name (and original path, if you have it) of the file concerned?

The fact that Iobit was involved in this seems purely collateral to me. An innocent bystander that just happened to step into the path of a bullet.
The fact that it won't uninstall may not be its fault.
The recent controversy about Iobit somehow happening to fluke the same definitions as MBAM would probably be enough incentive for me to not install it. But that's just me.
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: jwwing on December 04, 2009, 08:26:42 PM
I was loading WordPerfect Office X4 when the avast updated apparently and immediately got the Win32:DELF-MZG trojan. I thought from the install CD! So I moved the affected file, and received a dozen or so more warnings. Some of the files wouldn't move so I deleted them. When I was done, since I had just cloned my drive in this computer, I put the old drive back in and tried again. I updated the avast and immediately got a virus warning so thought that the drive had already been infected before. I stopped the action and told it to restart with a boot scan etc. I immediately started getting errors, so I decided if they had been there all this time they wouldn't hurt, so I terminated the boot scan and after the computer was up, I went out to the internet for info on the trojan. There I found the false positive notice on some blogs.

I put the old hdd back in, but there were several deleted files which didn't seem to bother anything - I restored what would, several would not restore. If I knew which they were, I would try the extract. 1) Is there any way that I can find out which files were deleted? 2) If I do another restore, will that affect the files if they have changed since (this would be so that I know which files to extract)?

I did find that the bug had caused me to not be able to read from the cd to fix the install of the WP X4 so after several hours of trying I gave up and tried to remove it. That wouldn't work either. By the next day I got the update of avast and tried again to remove the WP. This time I discovered that I could copy the missing files, reinstalled them and got the WP to install correctly. Now it would not stay up, WP has encountered a problem and must close. I found the file that they would report to MS and read it. The file was an HP printer dll which I got another copy of and saved to the machine. Now it works again!!

I sure hope this problem doesn't kill the company who provides avast! I know I am pretty put out, but would be incensed if I had had more debilitating problems.

Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: Bama158 on December 04, 2009, 08:56:06 PM
Thank you very much Tarq, and I understand you are a bystander. I work for a FREE computer helps website, and lots of our help comes from members who have either used a program, and can help with an issue another member posts for help. Not to say we don't have three of the best Techs. I must say educated Techs, but I am not one of those, even though I have been taught plenty by one of them. We have been doing this for 6 years. Why FREE? because we are retired and can, and we like to help our members fray the cost of going to a shop and getting it repaired.

Having said that, the computer in question is a member that I am in remote working on. Not at the present moment, but from 7-11pm est every night in our chat room. What you are saying is what I was thinking is my problem in the first place. I tried to restore the file and then things would have been peachy, but got an error so went to step 2 and extracted, and the file is NOT in its original place, so that's the problem, and I will fix it tonight. I should have written down the file path, but I didn't so will get it tonight when I go on her computer again.

We promote Freeware and use it ourselves. A few years back when I paid for everything McAfee sold.. I got WinFixer2005, and there was no fix for it. I fought that thing one night with the help of my friend on IM, and I swore after I get my computer clean I will never pay for security again. I eventually had to reinstall Windows because of that, because the Tech nor I could find anything to get rid of it. Right now I am testing AVG 9 Free, so I got out of the Avast virus alert, simply because I had to uninstall Avast to test AVG 9 Free....Lucky, me.

Thanks for listening, and you have a good day,

Bama
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: 2km3 on December 07, 2009, 08:25:50 PM
This is a perfect example of someone who is more concerned of their own existence than others. A persistence to annoy, and possibly an indifference to help..... I have a question for you... how large is your image and how many programs do you have currently running on your system. For some that is not an option unless you want to build 20gb partitions every two days by your operand. People do not need to be insulted at a time like this. I agree with some of what you have to say but lose the pessimistic attitude.

This is the perfect example as to WHY everyone should be using imaging software. I constantly push imaging software, and seem to get ignored. It must be that people would rather have disasters on their system so they can complain about them. Imaging software is so commonplace now that they include it in Vista and Win 7 as part of the OS. In my opinion, if you are not using imaging software, then you have no right to complain about any of this. And for all the people going off on a rant and wanting compensation for what happened, I hope you get back exactly what you gave........nothing if you are using the free version.

I got all the popups last night warning me, and I just clicked the X up in the corner and kept using my system. I knew right away they were FP's, and that it would get fixed. So, this morning I restored from an image I created two days ago, updated Avast virus data base, and it was just like nothing happened.

Take control of your PC people, and quit complaining. If your system got trashed by this human mistake, then shame on you for not backing up your operating system and software.  
Title: Re: If you are getting virus alerts please read! (Win32:Delf-MZG (Trj))
Post by: mikereid on December 08, 2009, 02:02:36 AM
Hello there sorry for the delay in a reply, was away for the weekend

Tarq, alureon was in system32\drivers\putobymspjqvrent.sys
        mal0b in documents & settings\HP_administrator\local settings\temp\~.exe

Computer still running fine, and strangely my internet is working ok now - but not with IE as usual - that's still not working
However I randomly downloaded firefox on my mum's pc, installed it on here and it works!

Still would prefer IE working but this is better than nothing
Do you suggest a clean IE install? How do I go about removing IE completely?

My avast is version 091207-0, today's version, but it only seems to update automatically, not on demand as it were, when it can't seem to connect

MBAM can't connect when I try to update that also, can't connect to the iTunes store either for example, so connectivity is still clearly an issue, but just getting firefox and browsing working on here was a relief